GDPR and nDSG Compliance Checklist for Swiss E-Commerce
Why Swiss E-Commerce Faces Double Compliance
If you’re running an e-commerce site from Switzerland, you’re likely subject to two data protection frameworks: the EU’s General Data Protection Regulation (GDPR) and Switzerland’s new Federal Act on Data Protection (nDSG/revDSG), which came into force on September 1, 2023.
The nDSG aligns closely with GDPR in many areas, but there are differences. And if you sell to EU customers, which most Swiss online retailers do, you need to comply with both.
This checklist covers the key areas where data protection law meets e-commerce technology. It’s written from a developer’s perspective, not a lawyer’s. For legal advice specific to your business, consult a data protection specialist.
This article reflects what I’ve learned from implementing these requirements, including custom real-time tracking for ads, across multiple e-commerce projects for Swiss businesses.
1. Cookie Consent and Tracking
What the law requires
- GDPR (for EU visitors): Explicit, informed consent before setting any non-essential cookies. Pre-ticked boxes don’t count. Users must be able to refuse cookies as easily as they accept them.
- nDSG (for Swiss visitors): The nDSG doesn’t require prior consent for cookies in all cases, but the associated Telecommunications Act (FMG) does require consent for tracking cookies. In practice, implementing a consent banner for all visitors is the safe approach.
Implementation checklist
- Cookie consent banner: implement a consent management platform (CMP) that blocks non-essential cookies until consent is given. Popular options: Cookiebot, OneTrust, or open-source solutions like Klaro.
- Granular consent categories: allow users to consent to specific categories (necessary, analytics, marketing) rather than all-or-nothing.
- No pre-ticked boxes: all non-essential categories must default to off.
- Easy withdrawal: users must be able to change their consent preferences at any time, not just on first visit.
- Consent logging: record when and what each user consented to, with timestamps. You may need to prove consent later.
- Server-side enforcement: don’t rely only on the CMP’s JavaScript. Validate consent server-side before firing analytics or marketing tags.
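As an added example (not code from the original article), here is a minimal consent model in Node.js that covers the last four items above: granular categories that default to off, a timestamped append-only consent log, and a server-side gate that releases only the tags whose category was consented to. The category names, the cookie format "analytics:1;marketing:0" and the tag-to-category map are assumptions.

```javascript
// Added example (not the article's code). Assumed: the category names, the
// CMP cookie format "analytics:1;marketing:0", and the tag-to-category map.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

// Tags the storefront may inject, keyed by the consent category they need.
const TAGS = {
  analytics: ['ga4', 'matomo'],
  marketing: ['meta-pixel', 'google-ads'],
};

// Build a consent record: every non-essential category defaults to off and is
// only on if the user explicitly chose it (no pre-ticked boxes).
function recordConsent(userId, choices, now = new Date()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = c === 'necessary' || choices[c] === true;
  return { userId, granted, timestamp: now.toISOString(), policyVersion: 'v1' };
}

// Append-only consent log, so a later withdrawal does not erase the proof of
// what was consented to earlier. Returns the number of entries.
const consentLog = [];
function logConsent(record) {
  consentLog.push(record);
  return consentLog.length;
}

// Parse the consent cookie set by the CMP. A missing or malformed cookie means
// no consent for anything non-essential; 'necessary' cannot be turned off.
function parseConsentCookie(cookieValue) {
  const granted = { necessary: true, analytics: false, marketing: false };
  if (typeof cookieValue !== 'string') return granted;
  for (const part of cookieValue.split(';')) {
    const [key, val] = part.trim().split(':');
    const known = Object.prototype.hasOwnProperty.call(granted, key);
    if (known && key !== 'necessary') granted[key] = val === '1';
  }
  return granted;
}

// Server-side enforcement: the template receives only the tags whose category
// was consented to, so nothing depends on the CMP script running in the browser.
function allowedTags(cookieValue) {
  const granted = parseConsentCookie(cookieValue);
  return Object.entries(TAGS)
    .filter(([category]) => granted[category])
    .flatMap(([, tags]) => tags);
}
```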
2. Privacy Policy
What to include
Your privacy policy needs to cover (at minimum):
- Identity and contact details of the data controller (your company)
- Data Protection Officer contact (if you have one; mandatory under GDPR in some cases)
- Types of personal data collected: be specific (name, email, shipping address, payment data, IP address, browsing behavior)
- Purpose and legal basis for each type of data processing
- Data retention periods: how long you keep each type of data
- Third-party recipients: list all services that receive customer data (payment processors, analytics, email marketing, shipping providers)
- International data transfers: if data leaves Switzerland or the EEA, explain the safeguards
- User rights: right to access, rectification, deletion, data portability, objection
- Swiss-specific: Under nDSG, explicitly state if automated individual decision-making is used
Implementation notes
- Link the privacy policy from your site footer, checkout page, and any forms that collect personal data.
- Keep it in plain language. Legal jargon helps no one.
- If your site is multilingual, the privacy policy must be available in all languages you serve.
3. Data Collection and Storage
Minimize what you collect
- Only collect data you need: do you really need a phone number for a digital product purchase? Date of birth for a subscription?
- Separate shipping and billing data: don’t assume they’re the same
- Guest checkout: allow purchases without account creation. Requiring an account to buy means you’re collecting more data than necessary.
Secure what you store
- Encrypt personal data at rest: use database-level encryption for PII fields
- Hash passwords: use bcrypt or Argon2, never MD5 or SHA-1
- PCI compliance: never store raw credit card numbers. Use tokenized payment (Stripe, etc.) so card data never touches your server
- Access controls: restrict who can access customer data in your admin panel. Log all access.
- Data retention: automatically delete or anonymize data after the retention period expires. Swiss commercial law requires keeping transaction records for 10 years, but you don’t need to keep the customer’s browsing history that long.
4. Customer Rights and Requests
Under both GDPR and nDSG, customers have the right to:
- Access their data: provide a way for users to download their personal data (account page export, or a process for handling manual requests)
- Correct their data: allow users to update their profile, address, and contact information
- Delete their data: implement account deletion that actually removes (or anonymizes) personal data. Note: you can retain data required for legal obligations (tax records, etc.)
- Data portability: be able to export customer data in a machine-readable format (JSON or CSV)
- Object to processing: especially for marketing. Unsubscribe links must work immediately.
Implementation notes
- Build a data export feature into your admin panel. When a customer requests their data, you should be able to generate it in minutes, not days.
- Account deletion should trigger a cascade: anonymize orders, delete the account, remove from mailing lists, notify third-party services.
- Under GDPR, you have 30 days to respond to data requests. Under nDSG, the timeframe is also 30 days.
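The deletion cascade described above, combined with the retention rule from section 3 (keep transaction records for 10 years, but not browsing history), as an added example in Node.js that is not the article's own code. Orders are anonymized rather than deleted, everything without a legal hold is removed, and a scheduled sweep enforces the retention periods. The in-memory data shape, the 90-day browsing-history retention and the list of processors to notify are assumptions.

```javascript
// Added example (not the article's code). Assumptions: the in-memory data shape,
// a 90-day browsing-history retention, and the list of processors to notify.
const DAY_MS = 24 * 60 * 60 * 1000;
const RETENTION_MS = {
  browsingEvents: 90 * DAY_MS,   // assumed policy for clickstream data
  orders: 10 * 365 * DAY_MS,     // statutory 10-year record-keeping period
};
// Cascade for a deletion request; returns the actions taken so they can be logged.
function deleteAccount(db, customerId) {
  const actions = [];
  const customer = db.customers.find(c => c.id === customerId);
  if (!customer) return actions;
  // Orders must be kept for the books, so strip the PII instead of deleting.
  db.orders = db.orders.map(o => {
    if (o.customerId !== customerId) return o;
    actions.push(`anonymized order ${o.id}`);
    return { ...o, customerId: null, name: 'deleted', email: null, address: null };
  });
  // Browsing history has no legal hold: delete it outright.
  db.browsingEvents = db.browsingEvents.filter(e => e.customerId !== customerId);
  actions.push('deleted browsing events');
  // Unsubscribe takes effect now; processors holding copies are told to erase.
  if (db.mailingList.delete(customer.email)) actions.push(`unsubscribed ${customer.email}`);
  for (const p of db.processors) actions.push(`notify ${p}: erase ${customerId}`);
  db.customers = db.customers.filter(c => c.id !== customerId);
  actions.push(`deleted customer ${customerId}`);
  return actions;
}

// Scheduled sweep: drop records older than their retention period.
function purgeExpired(db, now) {
  for (const key of Object.keys(RETENTION_MS)) {
    db[key] = db[key].filter(r => r.at >= now - RETENTION_MS[key]);
  }
  return db;
}

// Constructed sample store (not real customer data).
function sampleDb(now) {
  const pii = { name: 'Anna Muster', email: 'anna@example.ch', address: 'Bahnhofstrasse 1, Zürich' };
  return {
    customers: [{ id: 'c1', ...pii }],
    orders: [{ id: 'o1', customerId: 'c1', total: 49.9, at: now - 30 * DAY_MS, ...pii },
             { id: 'o0', customerId: 'c1', total: 12.0, at: now - 11 * 365 * DAY_MS, ...pii }],
    browsingEvents: [{ customerId: 'c1', url: '/shoes', at: now - 10 * DAY_MS },
                     { customerId: 'c1', url: '/hats', at: now - 200 * DAY_MS }],
    mailingList: new Set(['anna@example.ch']),
    processors: ['payment-provider', 'email-service'],
  };
}
```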
5. Email Marketing and Communication
- Explicit opt-in: don’t add customers to your marketing list just because they made a purchase. Require a separate, unchecked checkbox.
- Double opt-in: send a confirmation email before adding someone to your list. This is best practice and often required.
- Easy unsubscribe: every marketing email must include a one-click unsubscribe link
- Transactional vs. marketing: order confirmations and shipping notifications are transactional (no consent needed). Product recommendations and promotions are marketing (consent required).
- List hygiene: regularly remove bounced addresses and unsubscribed users from your lists
6. Third-Party Services and Data Processing Agreements
Every third-party service that processes your customers’ data needs a Data Processing Agreement (DPA):
- Payment processors (Stripe, Twint, PostFinance, Klarna): all major providers offer DPAs
- Analytics (Google Analytics, Plausible, Matomo): check where data is processed and stored
- Email services (Mailchimp, Brevo, etc.): ensure EU/Swiss data residency or adequate safeguards
- Hosting provider: your hosting provider processes all data that passes through your site
- CDN (Cloudflare, etc.): CDNs process visitor IP addresses and request data
- Shipping/logistics: they receive customer names and addresses
Data transfers outside Switzerland/EEA
If any of these services are based in the US or other countries without an adequacy decision:
- Check if Standard Contractual Clauses (SCCs) are in place
- Under nDSG, verify that the country appears on the Swiss Federal Council’s list of countries with adequate protection, or that appropriate safeguards exist
- Document all international data transfers in your privacy policy
7. Technical Security Measures
- HTTPS everywhere: no exceptions, no mixed content
- Security headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security
- Input validation: protect against SQL injection, XSS, and other injection attacks
- Regular updates: keep your framework, CMS, and dependencies up to date
- Breach notification plan: under GDPR, you have 72 hours to notify the supervisory authority of a data breach. Under nDSG, you must notify the FDPIC “as soon as possible”
- Regular backups: tested, encrypted, and stored securely
A Note on Pragmatism
Perfect compliance is an ongoing process, not a one-time checkbox exercise. Start with the highest-risk areas (payment data, consent management, privacy policy), then work through the rest systematically. Document what you’ve done and what’s still in progress.
The goal isn’t to make lawyers happy, it’s to handle your customers’ data responsibly and transparently. If you do that, compliance follows naturally.
Need help building a compliant e-commerce platform? Get in touch or visit tedbin.com.